IBAN Spoofing: How Attackers Manipulate Bank Account Numbers
IBAN spoofing substitutes a legitimate beneficiary's IBAN with a fraudulent one via email interception, PDF manipulation, or lookalike characters. Learn how to detect and prevent it.
IBAN spoofing is a category of payment fraud in which an attacker substitutes a legitimate beneficiary's IBAN with one under their control, causing funds to be transferred to the wrong account. The substitution can happen at multiple points in the payment workflow — in an email, inside a PDF invoice, or in transit between systems — and the victim's bank has no way to detect it after the payment instruction is submitted. This guide explains how IBAN spoofing attacks work, where they appear in the wild, and how validation at the right checkpoint stops them.
What Is IBAN Spoofing?
IBAN spoofing is not a single technique — it is a goal. The attacker's goal is to get the payer to authorise a payment to a fraudulent IBAN while believing they are paying a legitimate supplier, landlord, or business partner. The IBAN they see and the IBAN the payment actually travels to are different.
The spoofed IBAN is always a structurally valid IBAN. It passes the MOD-97 check digit algorithm, belongs to a real country, and has the correct length. This is deliberate: the attacker generates a valid IBAN for a bank account they control — often in the same country as the legitimate beneficiary to avoid raising suspicion — and replaces only the account portion of the payment instruction.
Man-in-the-Middle Email Interception
The most common IBAN spoofing vector is Business Email Compromise (BEC) combined with man-in-the-middle interception of payment instructions. The attack sequence:
- The attacker gains access to either the supplier's or buyer's email account — typically via phishing, credential stuffing, or purchasing credentials on the dark web.
- The attacker monitors incoming and outgoing email for payment-related messages: invoices, bank detail confirmations, remittance advice.
- When a legitimate payment instruction arrives, the attacker intercepts it, replaces the IBAN with their own, and forwards the modified message to the recipient — sometimes restyling it to match the expected sender's format.
- The payer, seeing a familiar email thread and a plausible IBAN, processes the payment.
The UK Finance Annual Fraud Report (2024) attributed £236 million in losses to authorised push payment (APP) fraud, with supplier impersonation accounting for the largest single category. The majority of supplier impersonation cases involve IBAN substitution.
PDF Invoice Manipulation
PDF invoices are a particularly effective attack surface because PDF editing is trivial and the modified file is visually identical to the original. Attackers obtain a legitimate invoice — either by compromising email or requesting one as a prospective customer — and use freely available tools to edit the IBAN field before re-sending.
The edited PDF carries no visible trace of modification. The embedded IBAN text is changed but the layout, logo, fonts, and signatures remain intact. Anti-virus and spam filters do not detect the change. The only defence is to compare the IBAN in the received PDF against a previously verified source — a phone call, a secure supplier portal, or the original onboarding form.
In 2023, the European Union Agency for Cybersecurity (ENISA) identified PDF manipulation as the dominant method in IBAN fraud cases reported to national CERT teams, accounting for 58% of documented incidents in the SME sector.
Lookalike IBANs and Visual Similarity Attacks
A subtler variant exploits the visual similarity between characters to create IBANs that look correct at a glance but contain substituted characters:
- The digit 0 (zero) versus the letter O
- The digit 1 versus the letter I or l
- The digit 5 versus the letter S
- The digit 8 versus the letter B
These substitutions usually fail the MOD-97 check, but attackers who understand the algorithm can compute valid check digits around the substitution. The resulting IBAN is valid but belongs to a different account. This attack is most effective when the payer is visually reviewing a long IBAN string in a small font.
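The two structural properties described above (the MOD-97 check digits that every spoofed IBAN still passes, and the digit/letter lookalikes that a payer's eye glosses over) can both be checked mechanically before a human ever reviews the string. The example below is added here and is not code from ibanchecker.cash; the per-country layout table is a constructed subset of the public ISO 13616 registry, and the IBANs used to exercise it are widely published example IBANs rather than real accounts. The validator reports a lookalike letter sitting in a numeric field as its own finding, so an operator sees "O where a 0 belongs" rather than a bare check-digit failure.

```python
import re

# BBAN layout per country (constructed subset of the public ISO 13616 registry):
# 'n' = digit, 'a' = upper-case letter, 'c' = letter or digit, one symbol per position.
BBAN_LAYOUT = {
    "DE": "n" * 18,                        # 8n bank code, 10n account number
    "GB": "a" * 4 + "n" * 14,              # 4a bank code, 6n sort code, 8n account number
    "NL": "a" * 4 + "n" * 10,
    "FR": "n" * 10 + "c" * 11 + "n" * 2,
}
# Letters that resemble digits; any of these in a numeric field is a lookalike signal.
CONFUSABLES = {"O": "0", "I": "1", "L": "1", "S": "5", "B": "8"}
CLASS_OK = {"n": str.isdigit, "a": str.isalpha, "c": str.isalnum}


def normalise(raw):
    """Strip whitespace and upper-case, as a payment system would before submission."""
    return re.sub(r"\s+", "", raw).upper()


def mod97_remainder(iban):
    """ISO 7064 MOD 97-10: move the first four characters to the end, map A..Z to 10..35,
    and reduce the resulting integer modulo 97. A correct IBAN leaves remainder 1."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97


def validate_iban(raw):
    """Structural validation with per-position findings. 'valid' is True only when the
    layout matches the country's BBAN pattern AND the check digits pass MOD-97."""
    iban = normalise(raw)
    result = {"iban": iban, "valid": False, "mod97_ok": False, "findings": []}
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{1,30}", iban):
        result["findings"].append("not an IBAN shape (country code + 2 check digits + BBAN)")
        return result
    layout = BBAN_LAYOUT.get(iban[:2])
    if layout is None:
        result["findings"].append(f"country {iban[:2]} not in the layout table")
        return result
    bban = iban[4:]
    if len(bban) != len(layout):
        result["findings"].append(f"length {len(iban)} != expected {len(layout) + 4}")
    # Walk the BBAN position by position; positions are 1-indexed over the whole IBAN.
    for pos, (ch, cls) in enumerate(zip(bban, layout), start=5):
        if not CLASS_OK[cls](ch):
            hint = ""
            if cls == "n" and ch in CONFUSABLES:
                hint = f" (lookalike for '{CONFUSABLES[ch]}')"
            result["findings"].append(f"position {pos}: '{ch}' not allowed in field type '{cls}'{hint}")
    result["mod97_ok"] = mod97_remainder(iban) == 1
    if not result["mod97_ok"]:
        result["findings"].append("check digits fail MOD-97")
    result["valid"] = result["mod97_ok"] and not result["findings"]
    return result


if __name__ == "__main__":
    for sample in ("DE89 3704 0044 0532 0130 00",   # published example IBAN, passes
                   "DE89 37O4 0044 0532 0130 00",   # letter O in a numeric field
                   "DE88 3704 0044 0532 0130 00"):  # check digits off by one
        r = validate_iban(sample)
        print(r["iban"], "valid" if r["valid"] else "INVALID", r["findings"])
```

Because a fraudulent IBAN passes this check just as a legitimate one does, the value of the validator is the reverse direction: a string that fails it was mistyped or tampered with, and a lookalike finding in particular points at a substitution rather than a typo.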
How IBAN Spoofing Survives Bank Processing
Banks do not verify that the account name matches the IBAN for most payment types. In the EU, the Instant Payments Regulation (2024/886) mandates IBAN-name matching for euro instant transfers — but this requirement only became enforceable in January 2025 and covers only instant credit transfers. Standard SEPA Credit Transfers and SWIFT payments do not carry a mandatory name-match check. The payer's bank processes the IBAN provided; if the IBAN is structurally valid, the payment is executed.
Once the payment clears, recovery is extremely difficult. The receiving bank is not obligated to return funds if the account holder disputes the recall. Cross-border recovery through SWIFT gpi's recall mechanism requires the cooperation of the beneficiary bank and can take weeks. Domestic recovery through the Payment Services Regulator or Ombudsman schemes applies only to certain payment types and jurisdictions.
Detection: How to Spot a Spoofed IBAN
Several signals indicate that an IBAN may have been substituted:
- Country code mismatch: The supplier is based in Germany but the IBAN starts with RO (Romania) or CY (Cyprus). The IBAN country code should match the supplier's registered country in most cases.
- Bank mismatch: The bank embedded in the IBAN does not match the bank the supplier uses for other transactions. Use the ibanchecker.cash API or the IBAN checker to extract the bank name from the IBAN and compare it against your supplier record.
- Unsolicited change request: The supplier contacts you to update their bank details — especially via email only, without an accompanying phone confirmation. Legitimate suppliers rarely change IBANs mid-relationship; attackers do so routinely.
- Email header anomalies: The reply-to address differs from the from address, or the sending domain is a lookalike (e.g. supplier-uk.com instead of supplier.co.uk).
- Pressure and urgency: The message emphasises that payment must be made immediately to a new account or a penalty will apply. This is a social engineering signal, not a financial one.
Prevention: IBAN Validation as a Control
IBAN validation does not, by itself, prevent spoofing — a spoofed IBAN is structurally valid. But validation is a necessary component of a broader control framework:
- Validate at onboarding: When a new supplier submits their IBAN, validate it immediately and store the validation result — bank name, BIC, country — alongside the IBAN. This creates a reference point for future comparison.
- Re-validate on every change: Any change to a supplier's IBAN must trigger a new validation plus an out-of-band confirmation (phone call to a number from your records, not a number provided in the change request). Log the change with timestamp and who approved it.
- Compare bank against expectation: If the bank name returned by validation does not match the bank in your supplier record, escalate for manual review before processing any payment.
- Use the bulk validator for periodic audits: Run your entire supplier IBAN database through the bulk IBAN checker quarterly. IBANs that now return a different bank name than when first validated are candidates for review.
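The detection signals listed under "How to Spot a Spoofed IBAN" and the four validation steps above are one workflow: store the lookup result at onboarding, then score every change request against that record before anything is activated. The example below is added here and is not ibanchecker.cash code; the bank directory is a constructed stand-in for a live bank lookup (hypothetical bank names and BICs), and the supplier, domains and message text are constructed samples. It assumes structural validity was already checked separately and concentrates on the control logic: country-code and bank comparison against the stored record, reply-to and lookalike-domain checks, urgency wording, the mandatory callback, a timestamped approval log, and the periodic audit that flags records whose IBAN no longer resolves to the stored bank.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed bank directory standing in for a live lookup (hypothetical names and BICs).
BANK_DIRECTORY = {
    ("DE", "37040044"): ("Sample Bank AG", "SMPLDEFFXXX"),
    ("DE", "50010517"): ("Other Bank AG", "OTHRDEFFXXX"),
    ("GB", "WEST"): ("Sample Bank plc", "WESTGB2LXXX"),
    ("RO", "AAAA"): ("Sample Bank SA", "AAAARO22XXX"),
}
# Length of the bank identifier at the start of the BBAN (IBAN position 5 onwards).
BANK_ID_LEN = {"DE": 8, "GB": 4, "RO": 4, "NL": 4}
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|today|penalty|final notice)\b", re.I)


def lookup_bank(iban):
    """Country, bank identifier, bank name and BIC for an IBAN, or None if unknown."""
    iban = iban.replace(" ", "").upper()
    country, n = iban[:2], BANK_ID_LEN.get(iban[:2])
    if n is None:
        return None
    bank_id = iban[4:4 + n]
    entry = BANK_DIRECTORY.get((country, bank_id))
    if entry is None:
        return None
    return {"iban": iban, "country": country, "bank_id": bank_id,
            "bank_name": entry[0], "bic": entry[1]}


@dataclass
class Supplier:
    name: str
    registered_country: str
    email_domain: str
    iban: str
    bank_name: str          # stored at onboarding: the reference point for later comparison
    bic: str
    audit_log: list = field(default_factory=list)


def onboard_supplier(name, registered_country, email_domain, iban):
    """Validate at onboarding and store the lookup result alongside the IBAN."""
    bank = lookup_bank(iban)
    if bank is None:
        raise ValueError("bank lookup failed; supplier cannot be onboarded with this IBAN")
    s = Supplier(name, registered_country, email_domain.lower(),
                 bank["iban"], bank["bank_name"], bank["bic"])
    s.audit_log.append((datetime.now(timezone.utc).isoformat(), "onboarded", bank["iban"], "system"))
    return s


def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()


def assess_change_request(supplier, new_iban, from_addr, reply_to, body, callback_confirmed):
    """Return ("approve" | "escalate" | "reject", reasons) for an IBAN change request.
    Any single signal escalates to manual review; a missing callback always does."""
    bank = lookup_bank(new_iban)
    if bank is None:
        return "reject", ["bank lookup failed for the new IBAN"]
    reasons = []
    if bank["country"] != supplier.registered_country:
        reasons.append(f"country code {bank['country']} differs from registered country "
                       f"{supplier.registered_country}")
    if bank["bank_name"] != supplier.bank_name:
        reasons.append(f"bank mismatch: on record {supplier.bank_name!r}, "
                       f"new IBAN resolves to {bank['bank_name']!r}")
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_to)
    if reply_domain != from_domain:
        reasons.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    for d in sorted({from_domain, reply_domain}):
        if d != supplier.email_domain:
            reasons.append(f"domain {d} is not the registered domain {supplier.email_domain}")
    if URGENCY.search(body):
        reasons.append("urgency language in the request")
    if not callback_confirmed:
        reasons.append("no callback confirmation to the phone number on record")
    return ("approve" if not reasons else "escalate"), reasons


def apply_change(supplier, new_iban, approver):
    """Activate a new IBAN only after assessment approved it; log who approved and when."""
    bank = lookup_bank(new_iban)
    supplier.iban, supplier.bank_name, supplier.bic = bank["iban"], bank["bank_name"], bank["bic"]
    supplier.audit_log.append((datetime.now(timezone.utc).isoformat(), "iban_changed",
                               bank["iban"], approver))


def audit_suppliers(suppliers):
    """Periodic re-validation: names of records whose IBAN no longer resolves to the stored bank."""
    flagged = []
    for s in suppliers:
        bank = lookup_bank(s.iban)
        if bank is None or bank["bank_name"] != s.bank_name:
            flagged.append(s.name)
    return flagged
```

Note the asymmetry in the decision: the assessment never returns "approve" on the strength of the IBAN alone, because a spoofed IBAN resolves to a real bank just as a legitimate one does. It approves only when every recorded attribute still matches and the callback to the number already on file has been made.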
Organisational Controls
Technical validation catches structural errors and bank mismatches, but IBAN spoofing ultimately succeeds through social engineering. Complementary organisational controls:
- Dual authorisation: Payments above a defined threshold require approval from two separate individuals. The second approver independently verifies the IBAN against the supplier record.
- Supplier portal for bank detail updates: Never accept IBAN changes by email alone. Route all bank detail changes through a secured portal with two-factor authentication, and require the supplier to authenticate from a previously verified identity.
- Staff training: Accounts payable staff are the primary target. Train them to recognise urgency language, domain spoofing, and out-of-band confirmation requirements. Run periodic simulated spoofing exercises.
- Callback verification policy: Any new IBAN or IBAN change request must be confirmed by a callback to the supplier's registered phone number before it is activated in the payment system.
Validate Supplier IBANs with ibanchecker.cash
The ibanchecker.cash IBAN checker extracts the bank name and BIC from any IBAN in real time. Paste a supplier's IBAN into the checker before authorising a payment — if the bank name returned does not match your records, do not proceed until you have confirmed the IBAN by phone.
For automated validation in your ERP or accounts payable system, the ibanchecker.cash API provides the same lookup via REST. A single POST to /api/v1/validate returns the bank name, BIC, country, and validity result in under 100 ms. All validation runs in memory — no IBAN data is retained.
Last updated: June 2026